Firewall Wizards mailing list archives

Re: Transparent vs. Non-transparent AGs/SPFs/whatever


From: Bill_Royds () pch gc ca
Date: Fri, 25 Sep 1998 11:30:09 -0400

That doesn't really answer the question I asked.  Sure, if I know
ahead of time that my user wants to telnet to port 2300, I can
configure my firewall to route traffic with a destination port
of 2300 through my telnet proxy app, no problem.  But what
if I don't know ahead of time what port people will be telnetting
to?

(this is assuming I want to proxy more than 1 protocol... if I'm
only allowing telnet out, then the telnet proxy could handle everything.)

And what if a different one of my users wants to do HTTP to
port 2300 on a different host on the Internet?

(Again, the assumption is that the telnet proxy is smart enough to
know that HTTP doesn't look like a proper telnet...  if a telnet
proxy lets HTTP through thinking that it's just a weird telnet session,
then that's just another circuit-level proxy as far as I'm concerned.)

                         Ryan

P.S. BTW, I think I probably already know the answer to this
thread I've started, I'm just hoping I'm wrong.

The Raptor firewall has some support for this.
It can't determine the proxy needed from the stream content, but rules can
be set up as
    use http for port 2300 to foo1.com
    use telnet for port 2300 to foo2.com
called redirect services.

This is deterministic and generally maintains the security policy, but it
does leave some room for spoofing protocols.



AGs run transparently if they are the one pipe between the protected
network (inside) and the unprotected Internet (outside).
All default routes of the inside network, whether default gateway or router
defaults, point to the inside NIC of the firewall.
For your example, the firewall rules then say that if any traffic comes
in from the inside NIC for port 2300 it will be proxied as telnet. No other
service will be allowed on port 2300.
Similarly for external traffic. Since there are 2 sessions on the firewall
for each connection (from inside to firewall, from firewall to external
server), you can even change the port on the way through or even change
the protocol (always change ftp to ftp-PASV running under http).
You are not restricted to carrying the same packets on each side of the
firewall.
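
[Editor's added example, not code from either poster and not Raptor's
implementation. It models the two dispatch strategies the thread contrasts:
a deterministic "redirect services" table keyed on destination host and
port, as in the reply above, versus the content-aware check Ryan asks for.
The rule table, the hostnames foo1.com/foo2.com and the protocol sniffing
heuristics are constructed for illustration. The combined dispatcher also
shows the "room for spoofing" caveat: a client that sends nothing before the
proxy decides cannot be classified by content, so only the rule applies.]

```python
import re

# Constructed redirect-service table in the spirit of the reply:
# (destination host, destination port) -> application proxy to use.
RULES = {
    ("foo1.com", 2300): "http",
    ("foo2.com", 2300): "telnet",
}

# Heuristics for classifying the first bytes a client sends.
# HTTP: a request line such as "GET / HTTP/1.0\r\n".
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r?\n"
)
# Telnet: clients commonly open with option negotiation, which begins
# with the IAC byte (0xFF). Not every telnet client sends anything first,
# which is exactly the gap the dispatcher below has to live with.
IAC = 0xFF


def select_proxy(dst_host, dst_port):
    """Deterministic dispatch: table lookup only, stream content ignored.
    Returns the proxy name or None when no redirect rule exists."""
    return RULES.get((dst_host, dst_port))


def sniff_protocol(first_bytes):
    """Content-based guess at the protocol: 'http', 'telnet' or 'unknown'."""
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    if first_bytes and first_bytes[0] == IAC:
        return "telnet"
    return "unknown"


def dispatch(dst_host, dst_port, first_bytes):
    """Rule picks the proxy; content sniffing acts as a cross-check.
    Returns (proxy_or_'deny', reason)."""
    proxy = select_proxy(dst_host, dst_port)
    if proxy is None:
        return ("deny", "no redirect rule for this destination")
    seen = sniff_protocol(first_bytes)
    if seen != "unknown" and seen != proxy:
        # The rule says one thing, the bytes say another: a protocol being
        # smuggled through the wrong application proxy.
        return ("deny", f"rule says {proxy} but stream looks like {seen}")
    # 'unknown' falls through to the rule: this is the spoofing room the
    # reply mentions, since a silent client is indistinguishable here.
    return (proxy, "ok")


if __name__ == "__main__":
    # Constructed sample connections.
    samples = [
        ("foo1.com", 2300, b"GET / HTTP/1.0\r\nHost: foo1.com\r\n\r\n"),
        ("foo2.com", 2300, b"\xff\xfd\x18"),          # telnet IAC DO TERMINAL-TYPE
        ("foo2.com", 2300, b"GET / HTTP/1.0\r\n\r\n"),  # HTTP where telnet is expected
        ("foo2.com", 2300, b""),                        # silent client, rule wins
        ("foo3.com", 2300, b"GET / HTTP/1.0\r\n\r\n"),  # no rule at all
    ]
    for host, port, data in samples:
        print(host, port, dispatch(host, port, data))
```

The pure table lookup is what makes the redirect-service approach
deterministic; the sniffing layer is only a sanity check and, as the
empty-stream case shows, it cannot close the gap on its own.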
